WEBVTT 1 00:00:00.000 --> 00:00:01.470 In this lesson, 2 00:00:01.470 --> 00:00:04.530 we will learn about Threat Actor Methods. 3 00:00:04.530 --> 00:00:08.070 Threat actor methods are the specific strategies 4 00:00:08.070 --> 00:00:12.480 and approaches attackers use to compromise systems 5 00:00:12.480 --> 00:00:15.600 to achieve their actions on objectives. 6 00:00:15.600 --> 00:00:20.400 Threat actor methods include abuse cases, antipatterns, 7 00:00:20.400 --> 00:00:23.070 and attack trees or graphs. 8 00:00:23.070 --> 00:00:26.730 Abuse cases are scenarios where legitimate features 9 00:00:26.730 --> 00:00:28.920 of a system are misused 10 00:00:28.920 --> 00:00:32.640 or exploited by attackers to cause harm. 11 00:00:32.640 --> 00:00:35.850 Next, antipatterns are common practices 12 00:00:35.850 --> 00:00:40.590 or solutions that, while initially appearing effective, 13 00:00:40.590 --> 00:00:44.850 actually create vulnerabilities or security risks. 14 00:00:44.850 --> 00:00:46.710 Finally, attack trees 15 00:00:46.710 --> 00:00:50.580 or graphs are visual vulnerability representations 16 00:00:50.580 --> 00:00:54.780 that map out the various paths an attacker might take 17 00:00:54.780 --> 00:00:57.210 to achieve a specific goal. 18 00:00:57.210 --> 00:01:00.930 Let's learn more about abuse cases, antipatterns, 19 00:01:00.930 --> 00:01:03.630 and attack trees or graphs. 20 00:01:03.630 --> 00:01:06.300 First, we have abuse cases. 21 00:01:06.300 --> 00:01:08.370 Abuse cases are scenarios 22 00:01:08.370 --> 00:01:11.400 where attackers manipulate legitimate features 23 00:01:11.400 --> 00:01:14.100 within a system to cause harm 24 00:01:14.100 --> 00:01:16.980 or gain unauthorized access. 25 00:01:16.980 --> 00:01:20.160 By exploiting intended functionalities, 26 00:01:20.160 --> 00:01:22.410 threat actors can use these features 27 00:01:22.410 --> 00:01:26.970 to bypass security controls or disrupt services. 28 00:01:26.970 --> 00:01:30.930 One example of an abuse case is the misuse of rating 29 00:01:30.930 --> 00:01:32.640 and review systems. 30 00:01:32.640 --> 00:01:36.270 Attackers or competitors might flood a platform 31 00:01:36.270 --> 00:01:37.500 with fake positive 32 00:01:37.500 --> 00:01:41.850 or negative reviews to manipulate a product's rating, 33 00:01:41.850 --> 00:01:45.510 influencing customer perception unfairly. 34 00:01:45.510 --> 00:01:49.380 This type of manipulation can damage reputations, 35 00:01:49.380 --> 00:01:51.030 mislead customers, 36 00:01:51.030 --> 00:01:53.970 or create artificial popularity, 37 00:01:53.970 --> 00:01:58.710 impacting a platform's credibility and user trust. 38 00:01:58.710 --> 00:02:02.880 Similar abuse cases may also arise when bots are used 39 00:02:02.880 --> 00:02:06.690 to upvote or downvote products or services, 40 00:02:06.690 --> 00:02:09.570 skewing rankings on the platform. 41 00:02:09.570 --> 00:02:12.120 Mitigating abuse cases like these 42 00:02:12.120 --> 00:02:14.610 requires review verification, 43 00:02:14.610 --> 00:02:18.030 such as identifying verified purchases 44 00:02:18.030 --> 00:02:22.080 or adding CAPTCHAs to minimize bot activity. 45 00:02:22.080 --> 00:02:24.630 Additionally, monitoring for patterns, 46 00:02:24.630 --> 00:02:26.610 like rapid review submissions 47 00:02:26.610 --> 00:02:30.540 or excessive reviews from the same IP address, 48 00:02:30.540 --> 00:02:33.870 can help identify suspicious behavior. 49 00:02:33.870 --> 00:02:36.420 Finally, implementing usage limits 50 00:02:36.420 --> 00:02:39.690 and conducting audits can reveal abuse 51 00:02:39.690 --> 00:02:43.320 and strengthen security around vulnerable features. 52 00:02:43.320 --> 00:02:45.810 Second, we have antipatterns. 53 00:02:45.810 --> 00:02:48.060 Antipatterns are poor practices 54 00:02:48.060 --> 00:02:49.620 or design choices 55 00:02:49.620 --> 00:02:52.830 that inadvertently create security risks, 56 00:02:52.830 --> 00:02:56.790 even if they seem functional or efficient on the surface. 57 00:02:56.790 --> 00:02:58.530 Unlike coding flaws, 58 00:02:58.530 --> 00:03:02.130 antipatterns usually result from inadequate planning 59 00:03:02.130 --> 00:03:05.790 or misconceptions about obscurity effectiveness 60 00:03:05.790 --> 00:03:08.070 in a security context. 61 00:03:08.070 --> 00:03:13.070 For example, encoding a password in Base64 might seem 62 00:03:13.080 --> 00:03:16.050 like a quick way to hide the password, 63 00:03:16.050 --> 00:03:19.950 but Base64 merely changes the format 64 00:03:19.950 --> 00:03:24.950 without securing the data, and it is easily reversible. 65 00:03:25.230 --> 00:03:27.660 For instance, encoding a password 66 00:03:27.660 --> 00:03:32.130 like SuperSecretPassword123! 67 00:03:32.130 --> 00:03:35.100 in Base64 produces the string 68 00:03:35.100 --> 00:03:36.840 that is shown on the screen, 69 00:03:36.840 --> 00:03:39.750 which looks impossible to decode, 70 00:03:39.750 --> 00:03:42.990 but can quickly be decoded by online tools, 71 00:03:42.990 --> 00:03:44.970 such as CyberChef, 72 00:03:44.970 --> 00:03:48.240 leading to potentially compromised accounts. 73 00:03:48.240 --> 00:03:50.340 Another common antipattern 74 00:03:50.340 --> 00:03:53.040 is hardcoding sensitive information, 75 00:03:53.040 --> 00:03:54.240 like passwords, 76 00:03:54.240 --> 00:03:57.300 or application programming interface keys 77 00:03:57.300 --> 00:03:59.130 within source code. 78 00:03:59.130 --> 00:04:02.760 While this may simplify development and integration, 79 00:04:02.760 --> 00:04:05.940 it exposes critical data to anyone 80 00:04:05.940 --> 00:04:08.700 who accesses the code repository. 81 00:04:08.700 --> 00:04:13.700 So if the repository is cloned, shared, or breached, 82 00:04:13.800 --> 00:04:17.400 hardcoded credentials are then easily accessible, 83 00:04:17.400 --> 00:04:20.430 putting systems at significant risk. 84 00:04:20.430 --> 00:04:24.630 Hardcoding sensitive information introduces vulnerabilities 85 00:04:24.630 --> 00:04:28.710 that attackers can exploit to gain unauthorized access 86 00:04:28.710 --> 00:04:31.230 or compromise system integrity. 87 00:04:31.230 --> 00:04:33.660 So mitigating antipatterns 88 00:04:33.660 --> 00:04:36.750 involves securely storing sensitive data 89 00:04:36.750 --> 00:04:39.030 using environment variables, 90 00:04:39.030 --> 00:04:43.410 instead of hardcoding values directly into code. 91 00:04:43.410 --> 00:04:47.400 Environment variables are stored outside the code base, 92 00:04:47.400 --> 00:04:49.800 reducing the risk of exposure 93 00:04:49.800 --> 00:04:52.560 if the code is shared or breached. 94 00:04:52.560 --> 00:04:55.560 Additionally, secure development frameworks, 95 00:04:55.560 --> 00:04:57.870 like Django for Python 96 00:04:57.870 --> 00:05:00.750 or Spring Security for Java, 97 00:05:00.750 --> 00:05:05.040 provide built-in protections against common vulnerabilities 98 00:05:05.040 --> 00:05:09.330 and guide developers to follow safe coding practices. 99 00:05:09.330 --> 00:05:12.720 Finally, regular code reviews, encryption, 100 00:05:12.720 --> 00:05:14.400 and hashing techniques 101 00:05:14.400 --> 00:05:17.700 further reduce anti-pattern vulnerabilities, 102 00:05:17.700 --> 00:05:21.600 reinforcing security throughout an application. 103 00:05:21.600 --> 00:05:26.130 Third and last, we have attack trees or graphs. 104 00:05:26.130 --> 00:05:29.640 Attack trees or graphs are visual representations 105 00:05:29.640 --> 00:05:31.080 or diagrams 106 00:05:31.080 --> 00:05:35.190 that outline the different pathways an attacker might take 107 00:05:35.190 --> 00:05:37.320 to achieve a specific goal, 108 00:05:37.320 --> 00:05:39.510 visually detailing the structure 109 00:05:39.510 --> 00:05:43.530 and steps involved in each potential attack. 110 00:05:43.530 --> 00:05:47.160 These diagrams break down a main objective, 111 00:05:47.160 --> 00:05:49.800 such as unauthorized access, 112 00:05:49.800 --> 00:05:52.530 into smaller, actionable components, 113 00:05:52.530 --> 00:05:55.710 such as entry points, privilege escalation, 114 00:05:55.710 --> 00:05:57.690 and lateral movement. 115 00:05:57.690 --> 00:05:59.340 Attack trees are valuable 116 00:05:59.340 --> 00:06:01.530 for identifying the different layers 117 00:06:01.530 --> 00:06:03.690 and steps in an attack, 118 00:06:03.690 --> 00:06:05.550 allowing security teams 119 00:06:05.550 --> 00:06:09.240 to anticipate and defend each path. 120 00:06:09.240 --> 00:06:10.620 A practical example 121 00:06:10.620 --> 00:06:14.340 of using an attack tree would be mapping out a scenario 122 00:06:14.340 --> 00:06:15.630 where an attacker attempts 123 00:06:15.630 --> 00:06:19.920 to compromise sensitive data within a company's network. 124 00:06:19.920 --> 00:06:24.210 The attack tree might start with entry points like phishing, 125 00:06:24.210 --> 00:06:27.510 weak passwords, weak access controls, 126 00:06:27.510 --> 00:06:31.380 or exploiting unpatched software vulnerabilities. 127 00:06:31.380 --> 00:06:33.030 From each entry point, 128 00:06:33.030 --> 00:06:35.700 the tree would branch into further steps, 129 00:06:35.700 --> 00:06:40.560 such as escalating privileges to access-restricted areas, 130 00:06:40.560 --> 00:06:44.940 or moving laterally within the network to reach databases. 131 00:06:44.940 --> 00:06:46.260 In this scenario, 132 00:06:46.260 --> 00:06:47.640 each node of the tree 133 00:06:47.640 --> 00:06:50.730 would represent a potential attack phase, 134 00:06:50.730 --> 00:06:54.660 allowing security teams to visualize where defenses need 135 00:06:54.660 --> 00:06:56.130 to be the strongest, 136 00:06:56.130 --> 00:06:57.810 and implementing them. 137 00:06:57.810 --> 00:07:01.350 To mitigate risks identified through attack trees, 138 00:07:01.350 --> 00:07:04.650 organizations can focus security resources 139 00:07:04.650 --> 00:07:07.050 on specific attack steps. 140 00:07:07.050 --> 00:07:11.490 This includes conducting regular vulnerability assessments, 141 00:07:11.490 --> 00:07:13.860 maintaining up-to-date patching, 142 00:07:13.860 --> 00:07:17.670 and enforcing least-privilege access policies. 143 00:07:17.670 --> 00:07:19.110 By using attack trees 144 00:07:19.110 --> 00:07:22.920 to plan layered defenses against attack pathways, 145 00:07:22.920 --> 00:07:26.790 organizations can proactively address vulnerabilities 146 00:07:26.790 --> 00:07:28.230 and strengthen protection 147 00:07:28.230 --> 00:07:31.530 across all potential network attack routes. 148 00:07:31.530 --> 00:07:33.600 So remember, 149 00:07:33.600 --> 00:07:37.920 threat actor methods encompass the strategies attackers use 150 00:07:37.920 --> 00:07:39.690 to exploit systems, 151 00:07:39.690 --> 00:07:42.870 aiming to achieve specific objectives. 152 00:07:42.870 --> 00:07:47.010 These methods include abuse cases, antipatterns, 153 00:07:47.010 --> 00:07:49.650 and attack trees or graphs. 154 00:07:49.650 --> 00:07:51.150 Abuse cases occur 155 00:07:51.150 --> 00:07:54.630 when attackers misuse legitimate system features, 156 00:07:54.630 --> 00:07:58.530 bypassing controls or disrupting services. 157 00:07:58.530 --> 00:08:01.680 Next, antipatterns are poor practices 158 00:08:01.680 --> 00:08:04.770 or design choices that appear useful, 159 00:08:04.770 --> 00:08:07.140 but introduce security risks, 160 00:08:07.140 --> 00:08:10.680 such as inadequate data protection techniques. 161 00:08:10.680 --> 00:08:14.430 Finally, attack trees or graphs are visual tools 162 00:08:14.430 --> 00:08:17.010 that map out potential attack paths, 163 00:08:17.010 --> 00:08:19.650 helping security teams anticipate 164 00:08:19.650 --> 00:08:23.100 and defend against possible threats. 165 00:08:23.100 --> 00:08:25.950 Understanding these threat actor methods 166 00:08:25.950 --> 00:08:30.120 enables organizations to identify vulnerabilities 167 00:08:30.120 --> 00:08:33.483 and strengthen their defenses proactively.